Computer take over (Resolved)

Luckycharm

Posted 13 February 2005 - 11:03 AM

Member

30 posts

Several days ago, I woke up to my computer being rebooted. As I get to my screen, the mouse is moving by itself, opening programs such as my virus scanner and firewall. I keep my computer constantly updated with XP, and virus scanner/firewall. How did my computer get taken over? I looked on your "what to do first" page before posting. I have done them all. Pretty much it was clean, except Spybot found 5 items the others didn't. There is one thing I did notice. In the startup menu in msconfig, there is a blank space, but off to the right is still an hklm............/run command for whatever is in the blank space. Can someone help me?

Dragon

Posted 13 February 2005 - 03:58 PM

All Around Computer Nut

Retired Staff

2,682 posts

Hello

Please look over the following entries I have listed, run HijackThis again and check them, and then, making sure you have no Internet Explorer windows open, including this one, press the "Fix Checked" button in HijackThis.

Dragon

Posted 14 February 2005 - 09:13 AM

Hi again, sorry for the delay.

Please turn off Spybot - Search & Destroy's TeaTimer application and try the fix again. There should be an icon in your systray that, when you move your mouse over it, should say TeaTimer on it. Right-click to turn it off. Once you have done that, run HijackThis again and fix those above-mentioned entries.

If after rebooting they come back again, go into safe mode by restarting your computer and tapping the F8 key several times. You will get a menu of boot options. Choose safe mode and then use HijackThis to fix those entries.

Luckycharm

Posted 14 February 2005 - 11:41 AM

If TeaTimer is installed, there is not an icon present, but I right-clicked on Spybot and turned it off before I scanned. I did as you said, removed the two, rebooted, they came back. Rebooted in safe mode. Fixed the two, and another two which only seem to appear in safe mode. They are the only '01' and 'R3' in the list. Then rebooted. The original two are still there; however, now my antivirus' firewall has an icon. I didn't realize it had disappeared. By the way, what is with the ones with '(file missing)'? I'm going to show you the HJT in safe mode with networking, then the very next one will be back in normal mode.

Dragon

Posted 14 February 2005 - 11:49 AM

You have a variant of the CoolWebSearch trojan.

Please download CWShredder from http://cwshredder.ne...CWShredder.exel and run the program twice. Press the "Fix" button and let it fix all variants. Next, close the program and post a fresh HijackThis log.

Luckycharm

Posted 14 February 2005 - 04:31 PM

Before my first post I had run CWShredder, but it did not detect anything. I ran it again like you asked, and still nothing. In fact, I ran it in safe mode along with TDS-3, as well, with no results. But I'm going to give you the HJT for both safe mode and normal again, in case you need them. I had deleted the 'R3' and '01' in safe mode, it hasn't come back, so maybe that's a good thing. I dunno. Why can't I get rid of this sucker?

Luckycharm

Posted 14 February 2005 - 05:32 PM

I deleted them in normal and safe mode after disabling both internal network cards in the laptop, and they all came back. I even deleted the "O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)".

Dragon

Posted 14 February 2005 - 06:10 PM

Download this reg tool, http://www.xs4all.nl...s/regsearch.zip, and unzip it. Run it and put this in to search the reg for 549B5CA7-4A86-11D7-A4DF-000874180BB3 and post the text file it makes, and do the same for FDD3B846-8D59-4ffb-8758-209B6AD74ACC.